Malware Knocks Out Accounting Software Giant Wolters Kluwer
Outage Leaves Firm's Cloud-Based Tax and Accounting Software Customers Scrambling
Accounting software giant Wolters Kluwer says it's continuing to attempt to recover from a malware attack that disrupted services for users of its cloud-based services. While some online chatter has suggested that ransomware may have been involved, the company has yet to publicly name the strain of malware involved.
Wolters Kluwer is a $4.8 billion global information services company based in the Netherlands that develops CCH, a suite of tax and accounting software that's available in both on-premises and software-as-a-service form. "Our customers include 90 percent of U.S. academic medical centers, 93 percent of Fortune 500 companies, 100 percent of the top U.S. accounting firms and 90 percent of the world's top banks," according to the company's 2018 annual report.
On Monday, customers of the company's cloud-based products began reporting that they were unable to access CCH software and services, that the company's support site was also unreachable and that the company's customer representatives didn't know what was happening.
"We are currently undergoing unscheduled maintenance," Wolters Kluwer tweeted on Monday. "Our technical teams are currently investigating the situation and are working as quickly as possible to restore systems. We appreciate your patience during this time."
On Tuesday, however, Wolters Kluwer confirmed that it had been attacked, noting that the company's security team had "started seeing technical anomalies in a number of our platforms and applications" on Monday, which they quickly discovered was due to malware.
— WK TAA US (@WKTAAUS) May 7, 2019
"As a precaution, in parallel, we decided to take a broader range of platforms and applications offline," the company says in its Tuesday statement. "With this action, we aimed to quickly limit the impact this malware could have had, giving us the opportunity to investigate the issue with assistance from third-party forensics consultants and work on a solution. Unfortunately, this impacted our communication channels and limited our ability to share updates."
The company says it immediately called in third-party digital forensic experts and notified law enforcement agencies.
So Far: No Evidence of Data Breach
Wolters Kluwer says that so far, no customer data appears to have been stolen as a result of the attack. "We have seen no evidence that customer data was taken or that there was a breach of confidentiality of that data," it says. "Also, there is no reason to believe that our customers have been infected through our platforms and applications. Our investigation is ongoing. We want to apologize for any inconvenience this may have caused."
Whoever attacked Wolters Kluwer may have taken advantage of configuration errors in the company's site. Security blogger Brian Krebs on Tuesday reported that four days prior - on Friday - he'd worked with Alex Holden of Hold Security to contact CCH and warn them that file directories containing the company's new software "were open and writable by any anonymous user, and that there were suspicious files in those directories indicating some user(s) abused that access." But Krebs said it wasn't clear if the misconfiguration and malware attack were connected.
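The misconfiguration Krebs and Holden reported is the kind of thing a routine audit of a software distribution tree should catch: directories any user can write to, and files that do not belong in a download area. The script below is an added example, not code from Wolters Kluwer, CCH, Krebs or Hold Security; it assumes the audit runs on the server's own filesystem (whereas the researchers observed the problem over the web), treats a directory as anonymously writable when the world-write bit is set without the sticky bit, and uses an assumed allow-list of file types for a download directory. The demo tree it builds is constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumption: file types a public software download tree is expected to serve.
EXPECTED_SUFFIXES = {".exe", ".msi", ".zip", ".txt", ".pdf"}


def audit_tree(root):
    """Walk `root` and return (finding, relative_path) tuples for
    world-writable directories and files of unexpected type."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = os.stat(dirpath).st_mode
        # Writable by 'other' and no sticky bit: any user can drop or replace files.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append(("world_writable_dir", os.path.relpath(dirpath, root)))
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if Path(name).suffix.lower() not in EXPECTED_SUFFIXES:
                findings.append(("unexpected_file", rel))
    return findings


def build_demo_tree():
    """Constructed demo tree: one correctly locked-down release directory
    and one directory left writable by anyone, holding a stray file."""
    root = tempfile.mkdtemp(prefix="download_audit_demo_")
    good = os.path.join(root, "releases")
    os.mkdir(good)
    os.chmod(good, 0o755)
    Path(good, "installer.msi").write_bytes(b"constructed placeholder, not an installer")
    bad = os.path.join(root, "upload")
    os.mkdir(bad)
    os.chmod(bad, 0o777)  # the misconfiguration: anyone may write here
    Path(bad, "unknown.php").write_text("constructed placeholder\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for kind, path in audit_tree(demo_root):
        print(f"{kind:20s} {path}")
```

Run against a real tree, every `world_writable_dir` finding should be fixed at once, and every `unexpected_file` finding should be compared with the release manifest before anything in that directory is served to customers.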
Customers Signal Frustration
Customers have reported being unable to access essential CCH services while Wolters Kluwer's operations appear to remain disrupted. "They have literally been off map for days now," one U.S.-based accountancy firm partner tells Information Security Media Group. "No email communications, their website's offline, phone support is down. Wolters Kluwer is the parent company for CCH, which seems to be the most impacted - and our primary vendor."
Without access to their accounting, bookkeeping and tax-preparation software, some accounting firms literally can't do their jobs.
Wolters Kluwer couldn't be immediately reached for comment. But the company tells CNBC that it's been working nonstop to restore affected systems.
"We have a really close relationship with our customers, and we understand that this situation impacted their day-to-day work," Elizabeth Queen, vice president of risk management for Wolters Kluwer, tells CNBC. "We're working around the clock to restore service, and we want to provide them the assurance that we can restore service safely. We've made very good progress so far."
Some Services Restored
Late on Wednesday, Wolters Kluwer said that it had restored the network running its CCH Axcess software suite and that some services were once again available.
"Our priority has been to bring the system up and get you back to work as quickly as possible. In order to do that, we have had to make a few choices, and a few functions are currently unavailable," the company says.
Tax returns cannot be electronically filed, sending and receiving emails is "performing slower than normal," new users cannot be activated and all support remains unavailable.
"Currently you will not have access to links to chat or support content; links to CCH Software news, or links to Knowledge Base Articles/Reviews," the company says.
Potential MegaCortex Ransomware Outbreak
In a discussion about the outage on Reddit, a self-described systems engineer for Wolters Kluwer said the company had been hit by MegaCortex ransomware. The comment was later deleted.
Security firm Sophos says the earliest strains of MegaCortex appear to date from Jan. 22, and that it detected a spike in such infections on May 1.
"We're still trying to develop a clearer picture of the infection process, but for now, it appears that there's a strong correlation between the presence of MegaCortex, and a pre-existing, ongoing infection on the victims' networks with both Emotet and Qbot," Andrew Brandt of Sophos says in a blog post (see: 5 Malware Trends: Emotet Is Hot, Cryptominers Decline).
"If you are seeing alerts about Emotet or Qbot infections, those should take a high priority," he says. "Both of those bots can be used to distribute other malware, and it's possible that's how the MegaCortex infections got their start."
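Brandt's advice translates into a simple triage rule: loader detections for Emotet or Qbot are raised above their vendor-assigned severity, and any host where such a loader coincides with a ransomware detection is treated as an active incident. The code below is an added example, not Sophos's code or detection logic; the alert records are constructed samples, and the family name aliases and severity labels are assumptions about how a vendor's detection names might look.

```python
from collections import defaultdict

# Loader families Sophos links to MegaCortex; "qakbot" is an assumed alias for Qbot.
PRECURSOR_FAMILIES = {"emotet", "qbot", "qakbot"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample alerts, not real telemetry.
SAMPLE_ALERTS = [
    {"host": "ws-017", "detection": "Trojan.Win32.Emotet", "severity": "medium"},
    {"host": "ws-042", "detection": "PUA.Adware.Generic", "severity": "low"},
    {"host": "srv-fs1", "detection": "Backdoor.Qbot", "severity": "medium"},
    {"host": "ws-017", "detection": "Ransom.MegaCortex", "severity": "high"},
    {"host": "ws-099", "detection": "Exploit.Office.Macro", "severity": "medium"},
]


def is_precursor(detection):
    """True when a detection name refers to one of the loader families."""
    name = detection.lower()
    return any(family in name for family in PRECURSOR_FAMILIES)


def triage(alerts):
    """Copy the alerts, escalate loader detections to 'high' with a reason,
    and return them sorted highest priority first (stable for ties)."""
    ranked = []
    for alert in alerts:
        alert = dict(alert)
        if is_precursor(alert["detection"]):
            alert["severity"] = "high"
            alert["reason"] = "loader associated with MegaCortex follow-on"
        else:
            alert["reason"] = "vendor severity"
        ranked.append(alert)
    ranked.sort(key=lambda a: SEVERITY_RANK[a["severity"]], reverse=True)
    return ranked


def hosts_to_contain(alerts):
    """Map host -> 'active' when a loader and a ransomware detection coincide,
    or 'precursor' when only a loader is present."""
    names_by_host = defaultdict(set)
    for alert in alerts:
        names_by_host[alert["host"]].add(alert["detection"].lower())
    verdicts = {}
    for host, names in names_by_host.items():
        has_loader = any(is_precursor(n) for n in names)
        has_ransom = any("megacortex" in n or "ransom" in n for n in names)
        if has_loader and has_ransom:
            verdicts[host] = "active"
        elif has_loader:
            verdicts[host] = "precursor"
    return verdicts


if __name__ == "__main__":
    for alert in triage(SAMPLE_ALERTS):
        print(f"{alert['severity']:7s} {alert['host']:8s} {alert['detection']:22s} {alert['reason']}")
    print(hosts_to_contain(SAMPLE_ALERTS))
```

The two functions are kept separate on purpose: `triage` orders the queue an analyst works through, while `hosts_to_contain` answers the narrower question of which machines to isolate first regardless of where their alerts sit in that queue.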
Chris Rose, a partner at Long Beach, California-based Ariento, a cybersecurity consulting and managed services provider that works with numerous certified public accountants, says any suggestion that MegaCortex was involved remains speculation, although he notes that dozens of attacks in recent days have used the ransomware.
In case attackers might attempt to use hacked CCH servers to distribute malware to customers, "we recommend blocking access to CCH servers as a precaution only and have done so for our clients," he said.
Such was the modus operandi seen in the NotPetya attack, which exploited a Ukrainian-based accounting software provider and then used its software update server to infect numerous organizations.